- [ ] Polynomial Rings
- [ ] Complex Numbers
- [ ] LWE
- [ ] RLWE

## Polynomial Rings

TBD: Some details about the polynomial rings here...

## Mathematical Background:

### Complex Numbers 

TBD: Here goes some short info about complex numbers.

Ref: [Complex Numbers](https://www.mathsisfun.com/numbers/complex-numbers.html)

### Learning with Error (LWE)

**Learning With Errors (LWE)** is a fundamental problem in post-quantum cryptography. It’s believed to be hard to solve even with quantum computers, making it a strong foundation for  **encryption**, **digital signatures**, and **fully homomorphic encryption** schemes. Noise is introduced to a value of a secret to hide the secret from unauthorized users.

---

**The Basic Idea**

Given a secret vector $ \mathbf{s} \in \mathbb{Z}_q^n $, the LWE problem involves random linear equations of the form:

$$
\mathbf{A}\mathbf{s} + \mathbf{e} \equiv \mathbf{b} \pmod{q},
$$

where:

- $ \mathbf{A} $ is an $ m \times n $ matrix over $ \mathbb{Z}_q $.  
- $ \mathbf{s} $ is the *secret* vector of length $ n $.  
- $ \mathbf{e} $ is the *error* (noise) vector in $ \mathbb{Z}_q^m $, with small integer entries (often from a discrete Gaussian).  
- $ \mathbf{b} $ is the resulting vector of length $ m $.  

The core challenge: from $ (\mathbf{A}, \mathbf{b}) $, recover $ \mathbf{s} $ (or predict $ \mathbf{b} $ from new rows of $ \mathbf{A} $).

---

**Why is it hard to solve this problem?**

**Noise Hides the Secret:**  
   Without the noise $ \mathbf{e} $, you have a straightforward linear system $ \mathbf{A}\mathbf{s} = \mathbf{b} \pmod{q} $. That’s easy to solve if $ \mathbf{A} $ has full rank.  
   But **small “error”** in each equation destroys perfect linearity, making it hard to find $ \mathbf{s} $.


---

**Parameters**

- **$ q $**: a modulus (e.g., a prime or power of 2).  
- **$ n $**: the dimension or length of the secret $ \mathbf{s} $.  
- **$ m $**: the number of samples (rows in $ \mathbf{A} $).  
- **Distribution for $ \mathbf{e} $**: typically a discrete Gaussian with standard deviation $ \sigma $.  

You can watch [this video](https://www.youtube.com/watch?v=K026C5YaB3A) for additional explanation.


### Ring Learning with Error

Learning with errors over rings is the LWE problem specialised to polynomial rings over finite fields.

**Basic Setup:**

Let 
$$
R = \mathbb{Z}[x]/(\phi(x))
$$ 
be a polynomial ring modulo a [monic](https://en.wikipedia.org/wiki/Monic_polynomial), irreducible polynomial $ \phi(x) $ of degree $ n $. Typically, $ \phi(x) $ is chosen as a cyclotomic polynomial (explained below). Define 
$$
R_q = R/qR
$$ 
where $ q $ is a modulus. Elements of $ R_q $ are polynomials with coefficients in 
$$
\mathbb{Z}_q = \mathbb{Z}/q\mathbb{Z}.
$$

$\mathbb{Z}_q$ denotes that each coefficient is in the range $[0...q-1]$.


Given:
- A secret element $ s(x) \in R_q $ chosen uniformly at random.
- A noise distribution $ \chi $ over $ R $ that outputs "small" error polynomials.

We obtain samples of the form:
$$
(a(x),\; b(x) = a(x) \cdot s(x) + e(x) \bmod q)
$$
where:
- $ a(x) \in R_q $ is chosen uniformly at random.
- $ e(x) \in R $ is drawn from the error distribution $ \chi $.

**Decision and Search Variants**

There are two main variants of the Ring-LWE problem:
1. **Search Ring-LWE:** Given multiple samples $ (a_i(x), b_i(x)) $, recover the secret $ s(x) $.
2. **Decision Ring-LWE:** Distinguish between tuples $ (a_i(x), b_i(x)) $ coming from the Ring-LWE distribution and tuples where $ b_i(x) $ is uniformly random in $ R_q $.

**Security Intuition**

The hardness of Ring-LWE is based on:
- The assumed difficulty of solving certain lattice problems over ideal lattices in $ n $-dimensional space.
- The structure introduced by using rings, which allows for efficiency improvements while maintaining security.

If an adversary could solve the decision version of Ring-LWE, they would be able to distinguish between noisy linear equations and random data, which is as hard as approximating certain lattice problems.

**Mathematical Expression**

A single Ring-LWE sample can be expressed as:
$$
b(x) \equiv a(x) \cdot s(x) + e(x) \pmod{q}
$$
with $ \deg(\phi(x)) = n $, meaning arithmetic is performed modulo $ \phi(x) $.

**Applications**

Ring-LWE is used to build various cryptographic primitives, including:
- Public-key encryption schemes.
- Digital signature schemes.
- Homomorphic encryption systems.

The algebraic structure of polynomial rings allows for more compact keys and faster computations compared to non-ring LWE schemes, while still relying on hard lattice problems for security.

You can visit [this link](https://en.wikipedia.org/wiki/Ring_learning_with_errors#Ring_learning_with_errors_homomorphic_encryption_(RLWE-HOM)) for additional information.

### Primitive root of unity
Any complex number that yields 1 when raised to some positive integer power n.
1. $ \zeta^n = 1 $
2. $ \zeta^k \neq 1 $ for all integers $ k $ such that $ 0 < k < n $.

$\zeta^n = e^{i(2\pi \frac{k}{n})}$

For 2N-th roots of unity, this means any number $\zeta$ that satisfies $\zeta^{2N}=1$

**Example of a Primitive Root of Unity:**

Let’s take $ n = 4 $. In this case, we are looking for the **primitive 4th roots of unity**, which are complex numbers that satisfy:

1. $ \zeta^4 = 1 $  
2. $ \zeta^k \neq 1 $ for $ 0 < k < 4 $.  

Using the formula $ \zeta = e^{i(2\pi k / n)} $, the 4th roots of unity are:

- $ \zeta_0 = e^{i(2\pi \cdot 0 / 4)} = e^{i \cdot 0} = 1 $
- $ \zeta_1 = e^{i(2\pi \cdot 1 / 4)} = e^{i\pi/2} = i $
- $ \zeta_2 = e^{i(2\pi \cdot 2 / 4)} = e^{i\pi} = -1 $
- $ \zeta_3 = e^{i(2\pi \cdot 3 / 4)} = e^{i3\pi/2} = -i $

The **primitive 4th roots of unity** are $ \zeta_1 = i $ and $ \zeta_3 = -i $, because:

- They satisfy $ \zeta^4 = 1 $, and
- They do not satisfy $ \zeta^k = 1 $ for $ 0 < k < 4 $.

In contrast, $ \zeta_0 = 1 $ and $ \zeta_2 = -1 $ are not primitive because they satisfy $ \zeta^2 = 1 $, violating the second condition.

In [5]:
import numpy as np
import math

n = 4
for k in range(4):
    z = np.round(np.exp(2*np.pi*1j*k/n))
    if z**(n) == 1 and math.gcd(k, n) == 1:
        print(f"Primitive {n}th root of unity: {z}")

Primitive 4th root of unity: 1j
Primitive 4th root of unity: (-0-1j)


### Cyclotomic Polynomial
A **cyclotomic polynomial** is a special type of polynomial defined as the unique irreducible polynomial with integer coefficients whose roots are the **primitive roots of unity** $e^{i(2\pi\frac{k}{M})}$, where k runs over the positive integers less than M and coprime to M. The formula is equal to:

$$
\Phi_{M}(x) = \prod_{\substack{1 \leq k \leq M \\ \gcd(k, M) = 1}} \left(x - e^{2i\pi \frac{k}{M}}\right)
$$



#### Example of a Cyclotomic Polynomial

Let’s take $M = 3$. The **cyclotomic polynomial** $\Phi_3(x)$ corresponds to the primitive 3rd roots of unity. These are the roots of $e^{i(2\pi k / 3)}$ for $k$ coprime to $3$ and $1 \leq k < 3$. 

1. **Primitive 3rd Roots of Unity**:
   - $k = 1$: $e^{i(2\pi \cdot 1 / 3)} = e^{i2\pi/3}$,
   - $k = 2$: $e^{i(2\pi \cdot 2 / 3)} = e^{i4\pi/3}$.

2. **Cyclotomic Polynomial Formula**:
   Using the formula:
   $$
   \Phi_3(x) = \prod_{\substack{1 \leq k \leq 3 \\ \gcd(k, 3) = 1}} \left(x - e^{2i\pi \frac{k}{3}}\right),
   $$
   we have:
   $$
   \Phi_3(x) = \left(x - e^{i2\pi/3}\right)\left(x - e^{i4\pi/3}\right).
   $$

3. **Simplification**:
   Using the fact that the roots are complex conjugates and the polynomial has real coefficients:
   $$
   \Phi_3(x) = x^2 + x + 1.
   $$

Thus, the cyclotomic polynomial for $M = 3$ is:
$$
\Phi_3(x) = x^2 + x + 1.
$$

**Special Case**: $\Phi_M(X) = X^N + 1$

The specific form $\Phi_M(X) = X^N + 1$ arises when:

- $M = 2N$, i.e., $M$ is a power of 2.
- The roots of $\Phi_{2N}(X)$ are the primitive $2N$-th roots of unity.

### 2.1. Roots of $X^N + 1$

The equation $X^N + 1 = 0$ has $N$ distinct roots in the complex plane. These roots are the **odd powers** of $\xi$, a primitive $2N$-th root of unity:

$$
\xi = e^{2\pi i / (2N)}, \quad \text{so } \xi^{2k+1} \text{ for } k = 0, 1, \dots, N-1.
$$


#### Example of Roots of $X^N + 1$

Let’s take $N = 4$. The equation $X^4 + 1 = 0$ has $4$ distinct roots in the complex plane. These roots are the **odd powers** of $\xi$, where $\xi$ is a primitive $8$-th root of unity:

1. **Primitive $8$-th Root of Unity**:
   $$
   \xi = e^{2\pi i / 8} = e^{i\pi/4}.
   $$

2. **Odd Powers of $\xi$**:
   To find the roots of $X^4 + 1 = 0$, we compute $\xi^{2k+1}$ for $k = 0, 1, 2, 3$:
   - For $k = 0$: $\xi^{2 \cdot 0 + 1} = \xi^1 = e^{i\pi/4}$,
   - For $k = 1$: $\xi^{2 \cdot 1 + 1} = \xi^3 = e^{i3\pi/4}$,
   - For $k = 2$: $\xi^{2 \cdot 2 + 1} = \xi^5 = e^{i5\pi/4}$,
   - For $k = 3$: $\xi^{2 \cdot 3 + 1} = \xi^7 = e^{i7\pi/4}$.

3. **Roots**:
   The roots of $X^4 + 1 = 0$ are:
   $$
   e^{i\pi/4}, \quad e^{i3\pi/4}, \quad e^{i5\pi/4}, \quad e^{i7\pi/4}.
   $$

#### 2.2. Factorization

The polynomial $X^N + 1$ factors as:

$$
X^N + 1 = \prod_{k=0}^{N-1} \left( X - \xi^{2k+1} \right),
$$

where $\xi^{2k+1}$ are the odd powers of the primitive $2N$-th root of unity $\xi$.




### Example of Factorization of $X^N + 1$

Let’s continue with $N = 4$. The equation $X^4 + 1 = 0$ can be factored using the formula:

**Factorization**:
   Substituting these roots into the factorization formula:
   $$
   X^4 + 1 = \left( X - e^{i\pi/4} \right)\left( X - e^{i3\pi/4} \right)\left( X - e^{i5\pi/4} \right)\left( X - e^{i7\pi/4} \right).
   $$

### Isomorphism

An isomorphism between two algebraic structures is a bijective homomorphism.

**Addition Preservation**:
$\sigma(m1 + m2) = \sigma(m1) + \sigma(m2)$

**Multiplication Preservation**:
$\sigma(m1 * m2) = \sigma(m1) \circ \sigma(m2)$

- Injectivity: No two distinct polynomials map to the same vector under σ.
- Surjectivity: Every vector in ${C^N}$ (satisfying the necessary properties) is the image of some polynomial under σσ.

#### Example of Isomorphism

Let’s illustrate an isomorphism using a simple example of polynomials and vectors.

1. **Algebraic Structures**:
   - Consider the space of polynomials with coefficients in $\mathbb{R}$, up to degree 1: $P = \{a + bx \mid a, b \in \mathbb{R}\}$.
   - Consider the 2-dimensional vector space over $\mathbb{R}$: $V = \mathbb{R}^2$.

2. **Isomorphism Definition**:
   Define a map $\sigma: P \to V$ as:
   $$
   \sigma(a + bx) = \begin{bmatrix} a \\ b \end{bmatrix}.
   $$

3. **Addition Preservation**:
   For $p_1(x) = 1 + 2x$ and $p_2(x) = 3 + 4x$, we have:
   $$
   p_1(x) + p_2(x) = (1 + 2x) + (3 + 4x) = 4 + 6x.
   $$
   Applying $\sigma$:
   $$
   \sigma(p_1 + p_2) = \sigma(4 + 6x) = \begin{bmatrix} 4 \\ 6 \end{bmatrix}.
   $$
   Separately:
   $$
   \sigma(p_1) + \sigma(p_2) = \begin{bmatrix} 1 \\ 2 \end{bmatrix} + \begin{bmatrix} 3 \\ 4 \end{bmatrix} = \begin{bmatrix} 4 \\ 6 \end{bmatrix}.
   $$
   Addition is preserved: $\sigma(p_1 + p_2) = \sigma(p_1) + \sigma(p_2)$.

4. **Multiplication Preservation**:
   For scalar multiplication by 2 on $p_1(x) = 1 + 2x$:
   $$
   2 \cdot p_1(x) = 2 \cdot (1 + 2x) = 2 + 4x.
   $$
   Applying $\sigma$:
   $$
   \sigma(2 \cdot p_1) = \sigma(2 + 4x) = \begin{bmatrix} 2 \\ 4 \end{bmatrix}.
   $$
   Separately:
   $$
   2 \cdot \sigma(p_1) = 2 \cdot \begin{bmatrix} 1 \\ 2 \end{bmatrix} = \begin{bmatrix} 2 \\ 4 \end{bmatrix}.
   $$
   Multiplication is preserved: $\sigma(2 \cdot p_1) = 2 \cdot \sigma(p_1)$.

5. **Injectivity**:
   If $\sigma(p_1) = \sigma(p_2)$, then:
   $$
   \begin{bmatrix} a_1 \\ b_1 \end{bmatrix} = \begin{bmatrix} a_2 \\ b_2 \end{bmatrix},
   $$
   implying $p_1(x) = a_1 + b_1x = a_2 + b_2x = p_2(x)$.

6. **Surjectivity**:
   Every vector in $\mathbb{R}^2$ can be written as $\begin{bmatrix} a \\ b \end{bmatrix}$, which corresponds to the polynomial $a + bx$ in $P$.

Thus, $\sigma$ is a bijective homomorphism and an isomorphism between $P$ and $V$.

